Subject: Re: [xacml] Re: Call for Obligations
I understand that obligation means obligation. :)

Anil Saldhana wrote:
> My use cases in mind are the following (please correct me wherever my
> understanding is wrong):
>
> a) Legitimate authorization request arrives at the PEP. PEP invokes the
> PDP. PDP comes back with 'PERMIT' and a set of obligations. PEP is unable
> to fulfill 1 or more obligations. PEP issues an error. What happened to
> the legitimate request?
>
> b) PDP issues a 'PERMIT' with a logging obligation. PEP does not want to
> log because performance considerations have been put forward and logging
> is low priority for the PEP. PEP issues an error.
>
> These are the use cases that I feel that obligations can have an optional
> tag such that PEP can be spec compliant in ignoring them.
>
> sampo@symlabs.com wrote:
>> Anil Saldhana writes:
>>> Has there been any work on obligations since xacml v2.0?
>>>
>>> Some use cases:
>>> Some of the things that pop up in mind with reference to obligations are:
>>> a) Auditing. (Common use case).
>>> b) Deny further requests on a particular subject if the number of
>>> unsuccessful authorization requests > n times. (More of a DOS use case).
>>> - Blacklist a subject.
>>>
>>> Priority among ObligationCategoryMembers:
>>> http://wiki.oasis-open.org/xacml/DiscussionOnObligations
>>> In the case of "encrypt" category, what if the PEP is unable to encrypt
>>> using "3DES" but can do "blowfish"? I think there is scope for levels of
>>> priority here with reference to obligation categories for the various
>>> members.
>>>
>>> Optional Obligations:
>>
>> How is an Obligation an obligation if it is optional?
>>
>> Perhaps better wording would be qualified or alternate obligations,
>> e.g. either you MUST log or you MUST validate a digital signature (which
>> MUST be present and valid).
>>
>> Cheers,
>> --Sampo
>>
>>> I am also wondering if there is scope to specify whether a particular
>>> obligation is required or optional. The reason is if a particular PEP is
>>> not able to perform a particular obligation, then it is non-reasonable to
>>> deny a particular access. A policy writer should be able to specify
>>> obligations that are mandatory and some that are optional (e.g. logging
>>> for performance purposes).
>>
>> __________________________________________________________________
>> Sym  | Sampo Kellomaki       ______| Identity Architect, Federated SSO
>> ____ | +351-918.731.007      ______| Liberty ID-WSF DirectoryScript
>> labs | skype: sampo.kellomaki      | LDAP SOAP PlainDoc Crypto C Perl
>
> --
> Anil Saldhana
> JBoss Security & Identity Management
> http://labs.jboss.com/portal/jbosssecurity/
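The two behaviours argued over in this thread can be made concrete with a small model of a PEP. This is an added example, not code from the XACML TC or from either poster; the obligation ids, the handler names and the PEP capabilities are constructed for illustration. It shows the fail-closed rule a conforming PEP follows (a Permit whose obligations cannot all be discharged is enforced as Deny, so Anil's "what happened to the legitimate request?" is answered with "it was denied, not silently granted"), and Sampo's "alternate obligations" as a group that is discharged when any one member can be performed, which covers the 3DES-versus-blowfish case without making any obligation optional.

```python
"""Model of a PEP discharging XACML obligations (constructed example).

Two rules are exercised:
  * fail closed: if any obligation attached to a Permit cannot be discharged,
    the PEP enforces Deny rather than granting access with obligations dropped;
  * alternate obligations (Sampo's "qualified" wording): a group counts as
    discharged when at least one of its members can be performed.
The urn:example:* ids and the capability flags are assumptions for this model.
"""
from dataclasses import dataclass, field


@dataclass
class Obligation:
    obligation_id: str
    attributes: dict = field(default_factory=dict)


@dataclass
class AlternateObligation:
    """Constructed: one of the alternatives MUST be discharged."""
    alternatives: list


@dataclass
class Decision:
    effect: str        # "Permit" or "Deny"
    obligations: list  # Obligation or AlternateObligation instances


class ObligationError(Exception):
    """Raised by a handler that cannot perform the obligation it was given."""


class PEP:
    def __init__(self, handlers):
        # obligation_id -> callable(attributes); absence means "not understood"
        self.handlers = handlers
        self.audit = []  # record of what was discharged or why access was denied

    def _discharge(self, ob):
        handler = self.handlers.get(ob.obligation_id)
        if handler is None:
            raise ObligationError(f"no handler for {ob.obligation_id}")
        handler(ob.attributes)
        self.audit.append(f"discharged {ob.obligation_id} {ob.attributes}")

    def _discharge_any(self, group):
        errors = []
        for alt in group.alternatives:
            try:
                self._discharge(alt)
                return
            except ObligationError as exc:
                errors.append(str(exc))
        raise ObligationError("no alternative dischargeable: " + "; ".join(errors))

    def enforce(self, decision):
        """Return the effect actually enforced after trying every obligation."""
        if decision.effect != "Permit":
            return "Deny"
        try:
            for ob in decision.obligations:
                if isinstance(ob, AlternateObligation):
                    self._discharge_any(ob)
                else:
                    self._discharge(ob)
        except ObligationError as exc:
            self.audit.append(f"deny: {exc}")
            return "Deny"  # fail closed: obligations are not optional
        return "Permit"


LOG = "urn:example:obligation:log"
ENC = "urn:example:obligation:encrypt"


def make_pep(supported_ciphers=("blowfish",), can_log=True):
    """Build a PEP whose capabilities are constructed for the example."""
    def encrypt(attrs):
        alg = attrs.get("algorithm")
        if alg not in supported_ciphers:
            raise ObligationError(f"cipher {alg} unsupported")

    def log(attrs):
        pass  # a real PEP would write an audit record here

    handlers = {ENC: encrypt}
    if can_log:
        handlers[LOG] = log
    return PEP(handlers)


def run_scenarios():
    """Constructed scenarios mirroring the thread; returns enforced effects."""
    results = {}
    # Use case (a): Permit with a logging obligation the PEP cannot perform.
    results["log_unfulfillable"] = make_pep(can_log=False).enforce(
        Decision("Permit", [Obligation(LOG)]))
    # Same decision at a PEP that can log.
    results["log_ok"] = make_pep().enforce(Decision("Permit", [Obligation(LOG)]))
    # Strict 3DES obligation at a blowfish-only PEP: nothing to fall back to.
    results["strict_3des"] = make_pep().enforce(
        Decision("Permit", [Obligation(ENC, {"algorithm": "3DES"})]))
    # Alternate obligation: 3DES or blowfish; blowfish is discharged instead.
    alt = AlternateObligation([Obligation(ENC, {"algorithm": "3DES"}),
                               Obligation(ENC, {"algorithm": "blowfish"})])
    results["alternate_cipher"] = make_pep().enforce(Decision("Permit", [alt]))
    # Obligations never upgrade a Deny.
    results["deny_stays_deny"] = make_pep().enforce(Decision("Deny", [Obligation(LOG)]))
    return results


if __name__ == "__main__":
    for name, effect in run_scenarios().items():
        print(f"{name}: {effect}")
```

The model reflects the point Sampo makes: an obligation the PEP may ignore is not an obligation, so a policy writer who wants "log, or if you cannot, do X" expresses that as a group of alternatives, and a PEP that cannot satisfy any member still fails closed. The audit list on the PEP is what a defender would look at to see why a Permit was enforced as Deny.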